Install Arch with LUKS
Pre-OS installation setup
ISO
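Download an ISO image from here. The page should list the checksum as well, so verify that the downloaded image matches it. Take the expected value from the download page: feeding sha256sum's own output for the file back into sha256sum --check only compares the file with itself and always passes.
echo '<EXPECTED_SHA256>  path/to/archlinux-version-x86_64.iso' | sha256sum --check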
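As an added example (not part of the original page), the check can be wrapped so that it fails closed. verify_sha256 and self_check are hypothetical helper names; self_check reproduces a hash-then-check-its-own-output pipeline to show that it accepts any file.

```shell
#!/bin/sh
# Added example: verify a download against a checksum copied from the
# download page, and refuse anything that does not match exactly.

# verify_sha256 FILE EXPECTED_HEX
#   0 = FILE hashes to EXPECTED_HEX, 1 = mismatch, 2 = unusable input
verify_sha256() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    # Reject empty values and anything containing non-hex characters.
    case $expected in
        ''|*[!0-9a-f]*) return 2 ;;
    esac
    # A SHA-256 digest is exactly 64 hex characters.
    [ "${#expected}" -eq 64 ] || return 2
    [ -r "$file" ] || return 2
    # sha256sum --check reads "HASH  FILENAME" lines (two spaces).
    printf '%s  %s\n' "$expected" "$file" | sha256sum --check --status
}

# self_check FILE
#   Hashes FILE and checks it against that same hash. There is no
#   independent reference value, so this succeeds for any readable file.
self_check() {
    sha256sum "$1" | sha256sum --check --status
}

# Usage: verify_sha256 path/to/archlinux-version-x86_64.iso '<EXPECTED_SHA256>'
```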
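Flash to USB
Find the device node of the connected USB, for example with lsblk. If the drive is mounted, it will likely show up under something like /run/media/USB_NAME; dd needs the block device itself (/dev/sdx below), not the mount point.
Then run the following command to flash the ISO to the USB. Double-check of= first, since dd overwrites the target device without asking.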
dd \
bs=4M \
if=path/to/archlinux-version-x86_64.iso \
of=/dev/sdx \
conv=fsync \
oflag=direct \
status=progress
More details are available on this page.
Once the USB has been successfully flashed with the image, connect it to the laptop/desktop and reboot.
Make sure to enter the boot manager (usually by pressing F12 on the manufacturer logo screen).
Notes
If the USB fails to boot, make sure that Secure Boot is disabled in the BIOS configuration.
Filesystem setup
Connect to the internet
Within the console, iwctl should be available. Follow the instructions here to get an internet connection established.
Create partitions
Running lsblk lists the accessible devices. The sample output below is from a system that already has this layout installed and mounted.
lsblk
#
# NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS
# nvme0n1 259:0 0 1.9T 0 disk
# ├─nvme0n1p1 259:1 0 512M 0 part /boot
# └─nvme0n1p2 259:2 0 1.9T 0 part
# └─root 254:0 0 1.9T 0 crypt /
Assuming it's an NVMe device, run the following to start the disk partitioning. Since there's no interest in dual booting Linux with Windows, it's fine to just wipe everything on the disk.
cgdisk /dev/nvme0n1
Make sure to set the following partitions
1 512MB EFI partition # Hex code ef00
2 100% size partition # (to be encrypted) Hex code 8300
EFI partition
Format the partition to be used.
mkfs.vfat -F32 -n EFI /dev/nvme0n1p1
Main filesystem partition
Set up LUKS for the partition to be used as the main filesystem.
cryptsetup \
-c aes-xts-plain64 \
--key-size 512 \
--hash sha512 \
--iter-time 3000 \
-y \
--use-random \
luksFormat /dev/nvme0n1p2
# Unlock it
cryptsetup luksOpen /dev/nvme0n1p2 luks
Then create the filesystem to be used
mkfs.btrfs -L main /dev/mapper/luks
Base system installation
Mount the system in preparation for bootstrapping the OS.
# Use /mnt as the root for the target system
mount /dev/mapper/luks /mnt
# Add boot loader settings
mkdir /mnt/boot
mount /dev/nvme0n1p1 /mnt/boot
Bootstrap system
# Kernel: linux (optionally linux-lts as well).
# Then system-related tools, editors and basic tooling.
# Microcode: amd-ucode, or intel-ucode depending on the CPU.
pacstrap /mnt base base-devel \
  linux linux-firmware \
  zsh sudo efibootmgr dialog wpa_supplicant networkmanager dhcpcd systemd \
  neovim vim \
  git tmux nix \
  amd-ucode
fstab
Generate the base.
genfstab -pU /mnt | tee -a /mnt/etc/fstab
Append the following to the newly generated fstab file. This will make /tmp a tmpfs.
echo 'tmpfs /tmp tmpfs defaults,noatime,mode=1777 0 0' >> /mnt/etc/fstab
noatime reduces wear when using an SSD.
System setup
Enter the new system.
arch-chroot /mnt /bin/zsh
Setup system clock
ln -s /usr/share/zoneinfo/America/Los_Angeles /etc/localtime
hwclock --systohc --utc
Set hostname
echo MYHOSTNAME > /etc/hostname
Set locale
Uncomment the desired locales from /etc/locale.gen.
vim /etc/locale.gen
# en_US.UTF-8 UTF-8
# ja_JP.UTF-8 UTF-8
locale-gen
localectl set-locale LANG=en_US.UTF-8
Add the following too.
echo LANG=en_US.UTF-8 >> /etc/locale.conf
echo LC_ALL= >> /etc/locale.conf
Setup system users
passwd
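Add a non-root user with sudo privileges. Membership in wheel only grants sudo once the %wheel rule in /etc/sudoers is enabled (edit it with visudo).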
groupadd MYUSERNAME
useradd -m -g MYUSERNAME -G wheel,storage,power,network,uucp -s /bin/zsh MYUSERNAME
passwd MYUSERNAME
Setup mkinitcpio
In /etc/mkinitcpio.conf:
- Add the chosen filesystem to MODULES (e.g. btrfs).
- Add encrypt to HOOKS before filesystems.
Then regenerate the initrd image.
mkinitcpio -p linux
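A wrong HOOKS order or a missing module only shows up at the next boot, so it is worth checking the file before rebooting. The following is an added example, not part of the original page; conf_array and check_mkinitcpio are hypothetical helpers and assume the array syntax MODULES=(...) and HOOKS=(...).

```shell
#!/bin/sh
# Added example: sanity-check mkinitcpio.conf for the two edits listed above.

# conf_array FILE NAME -> prints the contents of the last active NAME=(...)
# line; commented-out lines (starting with #) are ignored.
conf_array() {
    sed -n "s/^[[:space:]]*$2=(\(.*\)).*/\1/p" "$1" | tail -n 1
}

# check_mkinitcpio FILE FS
#   0 = FS is in MODULES and encrypt precedes filesystems in HOOKS
#   1 = FS missing from MODULES
#   2 = encrypt or filesystems missing, or in the wrong order
check_mkinitcpio() {
    modules=$(conf_array "$1" MODULES)
    hooks=$(conf_array "$1" HOOKS)
    case " $modules " in
        *" $2 "*) ;;
        *) echo "MODULES is missing $2" >&2; return 1 ;;
    esac
    # Record the 1-based position of each hook of interest.
    pos=0; enc=0; fs=0
    for h in $hooks; do
        pos=$((pos + 1))
        case $h in
            encrypt) enc=$pos ;;
            filesystems) fs=$pos ;;
        esac
    done
    if [ "$enc" -eq 0 ] || [ "$fs" -eq 0 ] || [ "$enc" -gt "$fs" ]; then
        echo "HOOKS must list encrypt before filesystems" >&2
        return 2
    fi
}

# Inside the chroot: check_mkinitcpio /etc/mkinitcpio.conf btrfs
```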
Boot loader
Setup /boot
Bootstrap /boot
bootctl --path=/boot install
Add default entry to be loaded on boot.
echo default arch >> /boot/loader/loader.conf
echo timeout 5 >> /boot/loader/loader.conf
Setup default entry
Populate the default entry with output from blkid.
blkid /dev/nvme0n1p2 > /boot/loader/entries/arch.conf
This will dump the needed information to proceed. Now open the file with an editor,
nvim /boot/loader/entries/arch.conf
and update the file to match something like this.
title Arch Linux
linux /vmlinuz-linux-lts
initrd /intel-ucode.img
initrd /initramfs-linux-lts.img
# Optional extra kernel parameter for the options line: intel_pstate=no_hwp
options cryptdevice=UUID=<UUID>:luks root=/dev/mapper/luks rw
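<UUID> should be the UUID value (not PARTUUID) of the raw device, taken from the output of the previous blkid command that the file was populated with. The linux and initrd paths must match the packages that were actually installed: with linux and amd-ucode from the pacstrap step they are /vmlinuz-linux, /amd-ucode.img and /initramfs-linux.img, while the example above corresponds to linux-lts and intel-ucode.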
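The entry can also be generated rather than hand-edited, which avoids pasting the wrong identifier. The following is an added example, not part of the original page; luks_uuid_from_blkid and render_entry are hypothetical helpers, and the entry passes the mapped device to the kernel as root=.

```shell
#!/bin/sh
# Added example: build the boot entry from a blkid output line.

# luks_uuid_from_blkid LINE -> prints the UUID= value (never PARTUUID=).
# Refuses lines whose TYPE is not crypto_LUKS, e.g. blkid output for
# /dev/mapper/luks, whose UUID belongs to the filesystem inside the container.
luks_uuid_from_blkid() {
    case $1 in
        *' TYPE="crypto_LUKS"'*) ;;
        *) echo "not a LUKS container: $1" >&2; return 1 ;;
    esac
    # ' UUID="' cannot match PARTUUID= or UUID_SUB= because of the leading
    # whitespace and the '=' directly after UUID.
    printf '%s\n' "$1" |
        sed -n 's/^[^:]*:.*[[:space:]]UUID="\([^"]*\)".*/\1/p'
}

# render_entry UUID KERNEL UCODE -> prints a systemd-boot entry on stdout.
# KERNEL and UCODE are package names, e.g. linux / linux-lts and
# amd-ucode / intel-ucode.
render_entry() {
    cat <<EOF
title Arch Linux
linux /vmlinuz-$2
initrd /$3.img
initrd /initramfs-$2.img
options cryptdevice=UUID=$1:luks root=/dev/mapper/luks rw
EOF
}

# On the target system (device and package names as used on this page):
#   uuid=$(luks_uuid_from_blkid "$(blkid /dev/nvme0n1p2)") &&
#   render_entry "$uuid" linux amd-ucode > /boot/loader/entries/arch.conf
```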
Exit and reboot
Exit the system and reboot the laptop/desktop.
exit
umount -R /mnt
reboot
Post installation follow up
Internet connection
Once successfully booted into the new system, it should be a bare bones zsh session. NetworkManager should be installed already, so use it to connect to the network first.
# Show available WiFi
nmcli d wifi list
# Connect
nmcli device wifi connect '<SSID>' password '<password>'
Refresh Arch mirrors
Make sure the mirror list is up to date.
reflector --latest 50 --country 'United States' --protocol https --age 24 --sort rate --save /etc/pacman.d/mirrorlist
Laptop configuration
Download _config from GitHub, and make sure Nix is set up properly before proceeding.
Most of the laptop's basic system should be covered by Ansible and Nix home-manager.
TODO: Add audio setup to Ansible.